Senior Communications Manager
Kirk Nahra Comments on Lawsuit Alleging HIPAA Violations in Data Transfer to Facebook
Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice and co-chair of the Health Care Practice, was quoted by Bloomberg BNA in a March 21 Health Care Daily Report article about a class action complaint against Facebook and medical websites involving the alleged transfer of personal health data. The proposed class of individuals alleges that the medical websites violated the Health Insurance Portability and Accountability Act (HIPAA) by transmitting users’ search information to Facebook, and that Facebook violated HIPAA by placing the individuals on targeted lists it uses to sell direct marketing opportunities to advertisers.
Mr. Nahra questioned whether there were actual violations of federal privacy law. “This seems to be a challenge to how Facebook interacts with health care company websites,” he said.
He added that “typically, any information from these sites—which would typically be used by random people seeking general information, not specifically for patient consultations, does not involve HIPAA-regulated information.”
Mr. Nahra said the data at issue in the suit may not be covered by HIPAA. “For example, if you go to a hospital website and search for ‘information about cancer,’ you are not a patient of the hospital and the hospital generally does not have any HIPAA obligations concerning your information from that inquiry,” he said.
“Facebook or Google or various other entities may have access to certain information through cookies and have ways to translate those inquiries into things like posted ads, but those issues don’t typically involve information that is actually regulated by HIPAA,” he added.